netfilter: nft_hash: fix hash overflow validation
diff mbox

Message ID 20160913082144.GA5689@sonyv
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Laura Garcia Liebana Sept. 13, 2016, 8:21 a.m. UTC
The overflow validation in the init() function establishes that the
maximum value that the hash could reach is less than U32_MAX, which is
likely to be true.

The fix detects the overflow when the maximum hash value is less than
the offset itself.

Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add hash offset value")

Reported-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 net/netfilter/nft_hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Pablo Neira Ayuso Sept. 13, 2016, 8:48 a.m. UTC | #1
On Tue, Sep 13, 2016 at 10:21:46AM +0200, Laura Garcia Liebana wrote:
> The overflow validation in the init() function establishes that the
> maximum value that the hash could reach is less than U32_MAX, which is
> likely to be true.
> 
> The fix detects the overflow when the maximum hash value is less than
> the offset itself.

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index bd12f7a..09473b4 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -76,7 +76,7 @@  static int nft_hash_init(const struct nft_ctx *ctx,
 	if (priv->modulus <= 1)
 		return -ERANGE;
 
-	if (priv->offset + priv->modulus - 1 < U32_MAX)
+	if (priv->offset + priv->modulus - 1 < priv->offset)
 		return -EOVERFLOW;
 
 	priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));